Unconditionally Secure Key Distribution Based on Two Nonorthogonal States 
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We prove the unconditional security of the Bennett 1992 protocol, by using a reduction to an 
entanglement distillation protocol initiated by a local filtering process. The bit errors and the phase 
errors are correlated after the filtering, and we can bound the amount of phase errors from the 
observed bit errors by an estimation method involving nonorthogonal measurements. The angle 
between the two states shows a trade-ofi' between accuracy of the estimation and robustness to 
noises. 



PACS numbers; 03.67.Dd 03.67.-a 



cn ■ 

o : 
o . 

00 
(N 

> : 

(N . 

(N 

O 

Oh: 



X 



Quantum key distribution (QKD) provides a way to 
share a secret key between two parties (Alice and Bob) 
with very small leak of information to an eavesdropper 
(Eve). One of the simplest of such protocols is called 
B92 1], which is based on the transmission of only two 
nonorthogonal states. For a qubit channel between Al- 
ice and Bob, this protocol proceeds as follows. Alice 
randomly chooses a bit value j, and prepare a qubit in 
state \t pj) = (3 \0^) + (-l)^a|lj;), where < a < 
/3 = \/l — a^, and {\0x), is a basis (X-basis) of 

the qubit. She sends the qubit through the channel to 
Bob, who performs a measurement Mb92 with three out- 
comes j' = 0, 1, "null''. The measurement A^b92 is de- 
fined by the POVM Fq = |^i)(^i|/2, F, = |^o)(^ol/2, 
and i^nuii = where |^^-) = a|0,) - (-1)J/3|1,) 

is the state orthogonal to \(pj)- When the outcome is 
j' = null. Bob announces that to Alice and they discard 
the event. Otherwise, they take notes of their bit values 
j and j' , which should coincide in the absence of channel 
noises and Eve's intervention. Repeating this procedure 
many times, each of Alice and Bob obtains a sequence 
of bits. Then they converts the sequences into a shared 
secret key through public discussions. 

Although the QKD protocols themselves are simple, 
proving the unconditional security is quite hard, since 
Eve may make a very complicated attack such as inter- 
acting all of the transmitted qubits jointly to a big probe 
system. This task has been accomplished for the BB84 
protocol 0, which involves four states forming two con- 
jugate bases. Subsequent proofs H, ^ 111 have provided 
us more than a basic claim of security, including a beau- 
tiful interplay 0, 0| between QKD and other important 
protocols in quantum information, such as the entangle- 
ment distillation protocol (EDP) 7] and the Calderbank- 
Shor-Steane (CSS) quantum error correcting codes 
It is natural to ask about the unconditional security of 
the B92 protocol, which is conceptually the simplest of 
the QKD protocols. In contrast to BB84, it involves a 
free parameter a representing the nonorthogonality. The 
analyses of the B92 protocol is hence expected to give 
us an idea about how the nonorthogonality is related 
to the ability to convey secret information. Since the 



security proofs of BB84 rely on the symmetry of the 
protocol which is not shared in B92, it is not a trivial 
task to modify it for B92, except for the limiting case of 
|(^o|</'i)P = l/2 0. 

In this Letter, we give a proof of the unconditional 
security of the B92 protocol for qubit channels, applicable 
to any amount of nonorthogonality a. We show that 
the B92 protocol is related to an EDP initiated by a 
local filtering ^3 ■ We also develop a method to estimate 
an error rate by measuring randomly chosen samples on 
a different basis, which plays an important role in the 
proof. 

We first introduce a protocol involving EDP, which is 
then shown to be reduced to the B92 protocol. We as- 
sume that Alice initially prepares a pair of qubits AB in 
the state |^')ab = (|Oz)a|<^o)b + |1z)a|<Pi)b) /a/2, which 
is nonmaximally entangled. Here Z-basis {|0z),|l2)} 
of a qubit is related to the AT-basis by \jz) = [\0x) + 
{—iy\lx)]/V^. Alice sends Bob the qubit B through a 
quantum channel. Suppose that Bob performs a "local 
filtering operation" on qubit B, described by the Her- 
mitian operator Fm = a\0x)B{0x\ + l3\lx)B{ix\- When 
the state of AB was p, the qubit B passes the filter- 
ing with probability p — Tr[p(lA (8) ^fii)^], resulting 
in the filtered state [(1a ® Fm)p{lA ® ^fii)]/p- When 
the channel is noiseless and Eve does nothing, this pro- 
cess is just the Procrustean method mentioned in [ll|: 
the filtered state should be the maximally entangled 
state (EPR state) |$+) = (|0,)a|0,)b + |1.)a|1x)b)/V2, 
since the initial state is also written as |^')ab = 
f3\0x)A\0x)B + a\ix)A\WB- When noises are present, 
the filtered state may include a bit error, represented by 
the subspace spanned by {\Oz)a\'^z)bA'^z)a\Oz)b}, and 
a phase error, represented by the subspace spanned by 
{|Oa;)Allx)B, 1 1^;) A I Oa;)B } • In parallel to the protocols for 
BB84 y,|5|, we can consider the following protocol that 
will work under the presence of noises. 

Protocol 1: (1) Alice creates 2A^ pairs in the state 
I^)ab^' ^nd she sends the second half of each pair to 
Bob over a quantum channel. (2) By public discussion, 
Alice and Bob randomly permute the position of 27V pairs 
of qubits. (3) For the first N pairs (check pairs), Alice 
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measures her halves on Z-basis, and Bob performs mea- 
surement A^B92 on his halves. By public discussion, they 
determine the number Tiorr of errors in which Alice found 
jO^) and Bob's outcome was 1, or Alice found with 
Bob's outcome 0. (4) For the second N pairs (data pairs), 
Bob performs the filtering Jgi on each of his qubits, and 
announces the total number nfn and the positions of the 
qubits that have passed the filtering. (5) From riorr and 
nfii, they estimate an upper bound for the number of bit 
errors ribit , and an upper bound for the number of phase 
errors nph, in the nai pairs. If these bounds are too large, 
they abort the protocol. (6) They run an EDP that can 
produce rikcy nearly perfect EPR pairs if the estimation 
is correct. (7) Alice and Bob each measures the EPR 
pairs in Z-basis to obtain a shared secret key. 

For the same reason as in the proofs of BB84 0, , if 
the estimation in step (5) is correct except for a proba- 
bility that becomes exponentially small as N increases, 
the final shared key is essentially secure. Intuitively, this 
comes from the fact that Eve has no clue on the outcomes 
of a measurement performed on an EPR pair, since it is 
in a pure state by definition. We will soon show how to 
estimate the upper bounds for the errors in step (5). Be- 
fore that, we will show that Protocol 1 can be reduced to 
the B92 protocol. 

According to the discussion by Shor and Preskill , we 
can use a one-way EDP based on CSS codes in step (6). 
Then, they have further shown that the whole extraction 
process of the nkey-bit final secret key from the noisy 
rifii pairs in steps (6) and (7) can be equivalently accom- 
plished by .Z-basis measurements directly performed on 
Alice's and Bob's qubits of the rifii noisy pairs, followed 
by a public discussion. Hence, without affecting the se- 
curity, we can assume that Alice performs Z-basis mea- 
surements immediately after she has prepared the state 
|4')ab, and that Bob performs Z-basis measurements im- 
mediately after he has performed the filtering. Protocol 1 
is thus reduced to a prepare-and-measure protocol. Now, 
note the following relation for f — 0, 1, which is easily 
confirmed: 

Fm\3Mz\Fm = F,,. (1) 

This implies that the filtering followed by the Z-basis 
measurement is, as a whole, equivalent to the measure- 
ment M.B92- Hence in the reduced protocol Alice simply 
sends |(po) and \ipi) randomly, and Bob performs A^b92 
on all of the received qubits, which completes the reduc- 
tion to B92. 

The estimation in step (5) can be done as follows. The 
number of bit errors rtbit could be determined if Alice and 
Bob exchange their measurement results in Z-basis. But 
this is the same process as the one performed on the first 
A'' pairs to obtain rtorr, due to the relation Thanks 
to the random permutation in step (2), the check pairs 
are regarded as a classical random sample from the 2N 



pairs. Then, from a classical probability estimate, we 
may assume 

l^^bit - ^orrl < Nei. (2) 

For any strategy by Eve, the probability of violating this 
inequality is asymptotically less than exp(— A^e^). 

The estimation of the phase errors is far more compli- 
cated. To do this, we derive several inequalities by as- 
suming gedanken measurements that are not really done 
in the Protocol 1. The number of phase errors nph could 
be determined if Alice and Bob measure the nei pairs in 
AT-basis just after step (4). Since the filtering operator 
-Ffii is also diagonal in AT-basis, nsi and nph could also be 
determined by another measurement scheme, in which 
Alice and Bob perform AT-basis measurements first, and 
then Bob applies the filtering Ffi\. Note that this filtering 
can be done classically by Bernoulli trials since the out- 
comes of the AT-basis measurements are available. This 
new scheme also produces the numbers nij{i,j = 0, 1) of 
pairs found in state \ix)A\jx)B- Since n^ and nm (nph) 
are related by Bernoulli trials, we have 

|a^("oo + "lo) + /3^("-oi + "-ii) " nml < Ne2 (3) 
\a^nio + P^noi-nph\<Ne3, (4) 

which are violated with probability asymptotically less 
than exp(— 2A^e2) and exp(— 2A^e|), respectively. 

Next, recall the fact that neither the noisy channel nor 
Eve can touch the qubits held by Alice. This implies that 
the marginal state of Alice's data qubits before the mea- 
surements should be pf ^, where pA = TrB(|^')AB(^'|) = 
P'^\Ox)A{Ox\ + a'^\^x)A{'i^x\- We can thus regard nio + nn 
as a result of a Bernoulli trial, obtaining 

\a^N-{nw + nn)\<Nei (5) 

with probability of violation asymptotically less than 
exp{-2Nel). 

Let us switch to the measurement on the check pairs 
(the first A^ pairs). The element of POVM corresponding 
to the error in step (3) is given by Herr — (|rii)(rii| + 
|roi)(roi|)/2, where iFn) = a|0^)A|0,)B - /9|Ua|Ub 
and iFoi) = P\Ox)a\Ix)b - a|lx)A|Ox)B- This is readily 
derived from the relation |jz)a|^j)b = iFn) — (—!)■' jFoi). 
Let us add two more states, |Foo) = P\0x)a\0x)b + 
a|l:,)A|lx)B and |Fio) = a|0^)A|l:.)B + Ja|oJb, to 
form a basis. While nen- is determined from local mea- 
surements in step 3, the same outcome could be obtained 
by performing globally the complete measurement on ba- 
sis llFy )}, followed by a Bernoulli trial with probability 
1/2. Let rriij be the number of pairs foimd in \Tij). Then 
we have 

|(toii -I- moi)/2 - nerri < A^es, (6) 

which is violated with probability asymptotically less 
than exp(-2A^e^). 
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Since {\Toi), \Tio)} and {|0:c)a|1x)b, |1x)a|0x)b} span 
the same subspace, we can relate mio + moi and nio+rioi 
by the classical probability estimate as in Eq. Q : 



|(mio + moi) - {nio + noi)\ < Nee, 



(7) 



which is violated with probability asymptotically less 
than exp(— iVe|). We would like further to relate 
nT-oi/irnoi + mio) to noi/(noi + ".io)j but we can no 
longer apply classical arguments here, since IFqi) and 
|Oa;)A|la;)B are nonorthogonal. We will thus extend the 
classical probability estimate to the quantum case in the 
following. 

The problem to be considered is as follows. M = 
Mq + Ml qubits are prepared in a state, and the position 
of qubits are then randomly permuted. Then, each of 
the first Mq qubits is measured on an orthogonal ba- 
sis {|0, 0), |0, 1)}, and the rest of Mi qubits are mea- 
sured on another basis {|1, 0), |1, 1)}. What we ask is 
the bound for the probability p{So, Si), with which MqSq 
qubits are found to be in |0, 1) and MiSi qubits are found 
to be in Let p be the state after the permuta- 

tion, and \x) = 1^1 j)*^"'''' J where rib^i = M^Sb and 
iT-bfl = Mi,{l — (5fc). Then, the probability is given by 



p{6o,si)^{x\p\x) n 



Mbl 



b=0.1 



(8) 



The technique used [l^ ] for problems involving i.i.d. 
quantum sources is also useful here, although in our case 
the state p may be highly correlated. The Hilbert space 
for the M qubits, H'^^' , can be decomposed as H®^ = 
®x^\ ^ V\ such that any operator of form JJ'^^ with 
U e SU{2) is decomposed as C/®*^ = 0^ Trx{U)(g)l, and 
any unitary operator Sp corresponding to permutation 
p e Sm is decomposed as Sp = ® ^a(p)- Here 

the maps nx and ttx are irreducible representations of 
SU{2) and Sm, respectively. The index A runs over all 
Young diagrams with two rows and M boxes, namely, 
\ = {M -k,k) with fc = 0, 1, . . . , [M/2J . We will thus 
use k instead of A below. For later use, we derive a 
convenient form of the projection onto Uk®Vk- Let 
us parameterize the pure states of a qubit as |n), using 
the unit vector n in the Bloch sphere. Define a state on 
n®^ as|/c,n) = |*)®'=|n)®*^-2'=, where I*) is the singlet 
state (|0)|1) - |1)|0))/V^ of two qubits. The state |A:,n) 
is contained in subspace Uk®Vk- Consider the operator 
with unit trace 
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j dnSp\k,n){k,n\Sl. 



(9) 



Since it commutes with any Sp and any U £ SU{2), it 
should be equal to {d!jfd^)~^Pk, where dJjf = dimUk and 
= dimVfc. 

Since p commutes with any Sp, it can be decomposed 
as p = ®k(Pk/dk)Pk ® 1, where J^Pk = 1 and Trpk = 1. 



Then, {x\p\x) < ZkiPk/dDixlPklx)- Substituting the 
form of © to Pfc, we have 



(xHx) <max^5]|(x|5p|fc,n) 



(10) 



RecaU that |x) takes the form of \x) = 0^ 
where v represents the double index {b,j). Then, 
KxliSplA:, n)p becomes the product of (S'j/i/')"""' and 
(r,)*% where = and = |(j/|n)|2. The 

numbers s^^i and depend on the permutation p. Let 
/^({Sfi^'lj {^i^}) be the number of different permutations 
that give the same values of {s^i,/}, {i^}. Explicitly, this 
degeneracy factor is given by 



k\ {M-2k)\ 



(11) 



Using this factor, the summation over p can be replaced 
by the summation over {s^^i}, {t^}, which take at most 
poly{M) values. Since = A/ - 2A; + 1 is also poly{M), 
we obtain 



{x\p\x) < poly{M) max -j- 

fc,n,{s„„/},{t„} M\ 

(12) 

Combining the Eqs. ((SJ), ifTTjl . and ((T^ . and 

replacing the factorials by the entropy function 
H{pi) = —J2iPi^'^SPi using the formula poZy(iV)^^ < 
exp[—NH{pi)]N\/ Yl{Npiy. < 1, we can cast the upper 
bound into the form p{do, Si) < poly{M) exp[— Mmin R], 
where the exponent R is given by 

R = H{Mb/M) + {k/M)[D{s,,,/k\S,,,/i)-2] 

+ (1 - 2k/M)[D{tJ{M ~ 2k)\Tj2) - 1], (13) 

where D is the relative entropy defined by D{pi\qi) ~ 
^jPi log2(pi/(7i). The empirical probability p^j = 
t^/{M — 2k) appearing here can be regarded as a joint 
probability over the two variables b and j, and we can 
consider its marginal probability pj = poj + pij and the 
conditional probability pb\j = Pbj/pj- We use similar 
notations for other joint probabilities Qbb'jj' = s^^'/k, 
abj = Ty/2, and Pbb'jj' = Si^^'/A. We further introduce 
a variable a, which takes three values {1,2,3}, define a 
probability by = 1 - 2k /M and ^2 = 6 = k/M, 
and define a joint probability jab over a and b, defined 
by 7i& = £,iPb, l2b = £,2qb, and 73^ = ^39,,/. Then, it is a 
bit tedious but straightforward to rewrite Eq. H13|) as 



R = {k/M)[D{qbb'\qbqb') + Yqbb'D{qjj>\bb'\f3jj'\bb')] 

bb' 

+ (1 - 2k/M) J2PbDiPj\b\ajib) + D{jabhalb) (14) 

6 

where we have used 7^ = Mb/M, ab = 1/2 and Pbb' = 
1/4. Since all terms are nonnegative, R is zero only 
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FIG. 1: (a) The optimum value of j{<^o|'/'i)P f^nd the key 
generation rate G in the depolarizing channel, (b) The error 
rates (normalized by nm) in the data qubits for the depolar- 
izing channel with p = 0.03. The estimated upper bound for 
phase errors (dot-dashed), the actual phase errors (solid), and 
the bit errors (dotted). 



if each pair of probabilities in D are identical. This 
implies = |(&,j|n)|2(Mb/M), g^, = (1/2) (M,/M), 
and qb'j' = (l/2)(A/b//Af). From the relation Ub.j = 
Mi^iPb] + 65bi + ^3qb'j'\b'=b,j'=j) we conclude that, for 
min R to be zero, it is necessary that 



<5;, = ai(fo,l|n)P + (l-a)/2 



(15) 



for a choice of |n) and < < 1, or equivalently, 
Sb = (6, l\a\b, 1) for a state a of a single qubit. Otherwise, 
p('5o,<5i) is as exponentially small as exp[— A/mini?]. 
Note that in the limit of Af ^ oo, the result is consis- 
tent with what is expected from the quantum de Finetti 
theorem 0. 

Now applying this general result to our case, we have 

sin2(6l, - 61) - 67 < sin^ cjji < sin^{0i + 6) + eg (16) 

for I = 0,1, where all the angles are defined in [0, 7r/2] by 
the relations nii/(nii -|-noo) ~ sin^ Oq, riQi / {uqi + uiq) — 
sin^ 9i, mil/ (wn -I- moo) = sin^ (^o, moi/ (moi -I- mio) = 
sin^ and = sm^9. Together with Eqs. an 
exponentially-reliable upper bound of Tiph can be found. 

In the following, we calculate the final key length in 
the limit of large N, by setting all cj to be zero. From 
Eq. 0, nbit is found to be equal to rierr- Eqs. Q~tZI) 
are now linear equations, and together with the relation 
X] "-'j ~ 12 "^ij ~ ^ ^ they can be used to eliminate riij 
and rriij. Then, the inequalities ()16|l for I — Q,l are 
combined to give 



\mi-2n,„\<Nal3f{x), 



(17) 



X) 



(/32 



a") and x = 2nph/A^ — 
ij requires that |A| < a; < 



where f{x) = Va;^ — -|- a/(T 
with A = [nm/N - 2a'^(3^)/{P'^ - 
(/9^ — a^)A. The positivity of n 

1 — 1/3^ — — A|. Solving Eq. (|17|l gives an upper bound 
riph of the number of phase errors nph, as a function of 
the observed values ncir and nm- 

The achievable length of the final key is given by 
"key = nfii[l-/i(nbit/nfii)-ft.(nph/nfii)], when nph/nsi < 



1/2 [note that positions of errors are randomized in step 
(2)]. Here h{p) = H{p, 1—p). In order to show a quanti- 
tative example of the security, we assume that the chan- 
nel is the depolarizing channel where the state p evolves 
as p ^ (1 - p)p + p/iJ2a=x,y,z'^o.p<ya, whcrc (Ta is the 
Pauli operator of a component. In Fig. ^a), we plot 
the key generation rate G = n^cy /N optimized over the 
nonorthogonality |((^o|95i)P- It is seen that our proto- 
col is secure up to p ^ 0.034, which is smaller than in 
BB84 with one-way EDP [p - 0.165) 0. In Fig.ljb), 
it can be seen that when |(<po|<<5i)P becomes smaller, the 
estimation of the phase errors becomes poorer. On the 
other hand, larger values of |((^ol'/5i)P make the signal 
more vulnerable to the noises, resulting in larger errors. 
This trade-off is in contrast to BB84, in which a good es- 
timation and small errors are achieved at the same time 
by adding two more states in the protocol. 

In summary, the B92 protocol can be regarded as an 
EDP with a filtering process, and the filtering makes the 
phase and bit errors related to each other, which enables 
us to estimate the phase errors from the amount of the 
bit errors. The estimation scheme involving nonorthog- 
onal measurements developed here will also be useful in 
practical QKD schemes having lower symmetries due to 
imperfections in the apparatus. 
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